Can confidential computing stop the next big crypto heist?

Can confidential computing stop the next big crypto heist?

Amid the theft of billions of dollars in cryptocurrency over the past few months, confidential computing could play a role in protecting people’s money in the future.

Confidential computing aims to isolate sensitive data and code without exposing it to the rest of the host system – including other applications and users, malicious insiders, intruders, malicious administrators, and compromised kernels and hypervisors. It does this by processing data out of sight in private memory using hardware-based secure enclaves.

Fireblocks is one of many companies focusing on digital asset infrastructure for banks, cryptocurrency exchanges, NFT marketplaces, and other organizations that want to build blockchain-based products. And he argues that secure enclaves, when properly implemented and with the right host support, can be used to protect valuable secrets from intruders, compromised software, and malicious insiders.

“When you think about the security of digital assets, the first thing you need to protect is the wallet’s private key,” said Fireblocks co-founder and CTO Idan Ofrat. The register.

There are other technologies, such as cryptographic hardware security modules (HSMs) and other key management systems, that may be sufficient for your use case. In the digital asset space, these are not secure enough, Ofrat argued, of course.

You can set up secure VMs and containers to handle this information, though they can be attacked by malicious admins and low-level malware, which hardware-protected enclaves should be able to stop, in theory.

And there are, of course, ways to defeat today’s secure enclaves. But if they work as intended and intended, enclaves can offer a complete walled garden from snoopers in a way that simple virtual machines, for example, cannot. Again, in theory.

If you want to go very far, you can – for example – ask one party to store sensitive data in an enclave, ask another party to run their code in the protected space – with an attestation proving that the code n hasn’t been tampered with – and return a simple result to this second part.

In this way, the data from the first party is not exposed to the second party, and the second party can provide a service, such as detecting fraud or predicting a medical diagnosis. There are other forms of multiparty computing that can be used with these enclaves to protect the workloads and data of others on remote systems.

Private key security

“Confidential computing is much more powerful because it allows you to protect the whole flow, including the generation of the transaction, the policies you want to apply to this transaction and who approves it, and then also protects the private key itself,” Ofrat explained. .

That said: a lot of the billions of crypto coins stolen recently have been through smart contract bugs or poor access controls, as seen in the Ronin Bridge heist, which secure enclaves have may or may not have been able to stop. But in terms of blocking malicious entities on host servers, enclaves have potential use there.

Fireblocks uses confidential computing and multiparty computing to secure and use private keys. The specific implementation is based on the concept of threshold signatures, which distributes the generation of key actions among multiple parties and requires a “threshold” of those actions (e.g., five out of eight actions in total) to sign a blockchain transaction. .

“Off-the-shelf key management products like HSMs don’t support the algorithm you need for multiparty computation,” adds Ofrat. “So for us to be able to both protect the key but also use multiparty computation to split the key into multiple shards, the only way to do that is through confidential computing.”

All major cloud providers have their own flavor of confidential computing, and at their respective conferences last month, Microsoft and Google added services to their confidential computing portfolios.

Choose your flavor

Google, which first introduced its Confidential Virtual Machines in 2020, last month announced Confidential Space, which offers secure multi-party collaboration. According to Sunil Potti, vice president and general manager of Google Cloud Security, this will allow organizations to work on sensitive data privately while strictly limiting access to that information.

For example, banks can work together to identify fraud or money laundering activity without exposing customers’ private information to additional parties and without violating data privacy laws in the process. Likewise, healthcare organizations can share MRI images and collaborate on diagnosis while locking down who can and cannot access the data, Potti said at the event.

At the same time, Microsoft also announced the general availability of its confidential virtual machine nodes in Azure Kubernetes Service in October. Redmond first demonstrated confidential computing at its Ignite conference in 2017, and Azure is widely considered the most mature provider of this still-nascent technology.

Amazon calls its confidential computing product AWS Nitro Enclaves, but as any cloud customer whose data is spread across multiple environments quickly discovers, the providers’ services don’t always work well with each other. This is true for confidential computing technologies, which have created a market for companies like Anjuna Security.

Or use cloud-independent software

Anjuna has developed confidential computing software that enables enterprises to run their workloads on any hardware and in the secure enclaves of any cloud provider without having to rewrite or modify the application. This makes securing sensitive data really easy, says Ayal Yogev, CEO and co-founder of Anjuna The register.

He compares his company’s cloud-agnostic software for confidential computing to the ease of transitioning to HTTPS for website protection. “We make it super easy to use.”

Anjuna’s clients include the Israeli Ministry of Defense, banks and other financial services companies, and digital asset managers.

While Fireblocks started using Azure Confidential Computing when the service was in preview, and its core is Intel SGX-based for secure enclaves, “we want to give customers options, like AWS Nitro or GCP,” Ofrat says. . “Customers can choose any cloud partner they want, and Anjuna supports them all.”

Will it become mainstream?

A recent survey by the Cloud Security Alliance [PDF]commissioned by Anjuna, revealed that 27% of respondents currently use confidential computing and 55% plan to do so within the next two years.

Ofrat says he expects confidential computing to become more common in cloud environments over the next three to five years.

“This will support Web3 use cases, but also government and healthcare use cases around privacy,” he adds.

The benefits of confidential computing even extend to protecting against ransomware and IP theft, Ofrat tells us, noting the Disney movie theft rumor in which scammers allegedly threatened to release movie clips unless that the studio pays a ransom.

“They could use this simple technology and encrypt movies before they’re released,” he says. “Technology can be really beneficial.”

And keeping stolen cryptocurrency out of the hands of scammers wouldn’t be such a bad thing either. ®

#confidential #computing #stop #big #crypto #heist

Leave a Comment

Your email address will not be published. Required fields are marked *